Open Noodlez1232 opened 2 years ago
I totally forgot to elaborate on the bottom part. That's the current command I use for my NOTIFY_CMD, and I get quite a few files in my home folder, especially fragments of emoticons like `>:(` becoming `:(`.
Instead of `echo {msg}`, `echo '{msg}'` is the difference that you are looking for.
And by default NOTIFY_CMD uses `/usr/local/bin/terminal-notifier`; this file is for Mac, and by default NOTIFY_CMD uses the specific syntax of that command. For Linux you can use your own custom NOTIFY_CMD command, like with notify-cmd, or create the `/usr/local/bin/terminal-notifier` file and handle the args.
The NOTIFY_CMD variable just templates various things into the command given in NOTIFY_CMD. The formatted string doesn't escape things like quotation marks, nor things like `>` or `[[`, making for not only a very buggy experience, but not a very secure one either. If you want proof, set NOTIFY_CMD to something like `echo {msg}`, and have somebody send you something like `hello > bad_file`. The file `bad_file` is created with "hello" in it. This also makes it really easy to execute arbitrary commands by sending something like `; rm -rf --no-preserve-root /`. I'm not quite sure how NOTIFY_CMD works, but the correct solution would probably be to quote the various inputs before sending them out to be run by `sh`.
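The behaviour described in this issue, reproduced as an added example that is not code from the original thread or from the project itself. It assumes the command is built with Python-style `str.format` on a `{msg}` placeholder and handed to `sh`; the function names (`render_unsafe`, `render_quoted`, `render_argv`, `run_in_sandbox`) and the sample messages are constructed for illustration. Each command runs inside a throwaway temporary directory, so the "file created" side effect is observable without touching the home folder. Besides the two payloads from the report, a third message closes a single quote, which shows what happens to a template that only wraps `{msg}` in `'...'`; the `render_argv` variant avoids the shell entirely by splitting the template once and substituting per argument.

```python
"""Added example (not from the original issue or project): shows how a raw
message templated into NOTIFY_CMD can create files or run commands via sh,
and two ways to neutralise it. All names here are illustrative."""
import os
import shlex
import subprocess
import tempfile

# Constructed sample messages. The first two are the payloads the report
# describes; the third closes a single quote, so it escapes an `echo '{msg}'`
# template that merely wraps the message in quotes.
SAMPLE_MESSAGES = [
    "hello > bad_file",
    "; echo owned > pwned_file",
    "it' > quoted_bad_file '",
]


def render_unsafe(template: str, msg: str) -> str:
    """Templates the raw message into the command (the reported behaviour)."""
    return template.format(msg=msg)


def render_quoted(template: str, msg: str) -> str:
    """Shell-quotes the message first, so sh sees it as one literal word."""
    return template.format(msg=shlex.quote(msg))


def render_argv(template: str, msg: str) -> list:
    """Splits the template into argv once, then substitutes into each argument.
    The result is run with shell=False, so no shell ever parses the message."""
    return [arg.format(msg=msg) for arg in shlex.split(template)]


def run_in_sandbox(command) -> list:
    """Runs a command (a string via sh, or an argv list directly) inside a
    fresh temporary directory and returns the names of any files it created."""
    with tempfile.TemporaryDirectory() as d:
        subprocess.run(command, shell=isinstance(command, str), cwd=d,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return sorted(os.listdir(d))


def files_created(template: str, msg: str) -> dict:
    """Which files each rendering strategy lets `msg` create for `template`."""
    return {
        "unsafe": run_in_sandbox(render_unsafe(template, msg)),
        "quoted": run_in_sandbox(render_quoted(template, msg)),
        "argv": run_in_sandbox(render_argv(template, msg)),
    }


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(repr(msg), files_created("echo {msg}", msg))
    # A template that only single-quotes {msg} still breaks on the third message.
    print(repr(SAMPLE_MESSAGES[2]),
          run_in_sandbox(render_unsafe("echo '{msg}'", SAMPLE_MESSAGES[2])))
```

Running the script shows `bad_file` and `pwned_file` appearing only for the unquoted rendering, and `quoted_bad_file` appearing for the `echo '{msg}'` template, while `shlex.quote` and the argv form create nothing. Of the two fixes, the argv form is the stronger one because the message never reaches a shell parser at all; `shlex.quote` is the right tool when the command string genuinely has to go through `sh`.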